Enforcing HIPAA Administrative Simplification: Dispassionate Enforcement or Compassionate Prosecution?

By: Alan S. Goldberg, JD, LLM*
Goulston & Storrs, Boston, MA, Washington, DC, and London, UK
Past President, American Health Lawyers Association & Moderator, AHLA HIT listserv
Adjunct Professor of Law, University of Maryland School of Law & Suffolk University Law School
Webmaster, http://www.healthlawyer.com (sm)
[*Not admitted in DC]
May 7, 2002

The Administrative Simplification Subtitle of the Health Insurance Portability and Accountability Act of 1996, known as HIPAA, will revolutionize how health information is, and patients are, treated privacy-wise, security-wise, and otherwise. The transactions and data code sets rule requirements under HIPAA, as well as privacy and security, will be included in the enforcement part of HIPAA. Because of the many changes in health care delivery that HIPAA will require, a great deal of anxiety has been created about penalties. Certainly few areas of the HIPAA law are more important than the enforcement provisions. Covered entities will need to address their de facto enforcement obligations with respect to business associates in order to avoid governmental enforcement against covered entities. But a careful reading of the law should provide comfort and encouragement that, notwithstanding the hype, the enforcement procedure likely will not be so bad after all. Covered entities and business associates who study and learn can be prepared to meet the challenges of the HIPAA law. Note also that not discussed further below are possible state law enforcement activities based upon HIPAA and the new national standard set by HIPAA, which is likely to be embraced by state Attorneys General and judges in state courts in evaluating privacy and security compliance in health care.

In fact, the civil enforcement provisions of the HIPAA law evidence a Congressional mandate that civil sanctions (that is, monetary fines) under HIPAA should be imposed leniently and in a way that will encourage compliance and not make covered entities feel as if they are being persecuted for inadvertent violations of the HIPAA law. Although the Office for Civil Rights, to which the Department of Health and Human Services delegated the HIPAA enforcement responsibility, has not promulgated a proposed enforcement rule, the HIPAA law provides a clear indication of Congressional intent regarding how enforcement should proceed. It can therefore be expected that the OCR enforcement rule will mirror the HIPAA law enforcement provisions and the enforcement language already set forth in the HIPAA final privacy rule. These civil penalty enforcement provisions of the HIPAA law begin as follows:

"GENERAL PENALTY FOR FAILURE TO COMPLY WITH REQUIREMENTS AND STANDARDS

SEC. 1176. (a) GENERAL PENALTY.-- (1) IN GENERAL.--Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

"(2) PROCEDURES.--The provisions of section 1128A (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.

Thus the magnitude of a penalty assessment surely can add up, particularly for repeated transactional defaults. But Congress provided a generous and unusual opportunity in HIPAA to prevent, to deflect and possibly to avoid any penalty (emphasis supplied):

"(b) LIMITATIONS.--

"(1) OFFENSES OTHERWISE PUNISHABLE.--A penalty may not be imposed under subsection (a) with respect to an act if the act constitutes an offense punishable under section 1177 [namely, HIPAA For Crooks: the criminal provisions].

"(2) NONCOMPLIANCE NOT DISCOVERED.--A penalty may not be imposed under subsection (a) with respect to a provision of this part if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.

So, if a covered entity is able to satisfy the Office for Civil Rights that the covered entity did not know, and by exercising reasonable diligence would not have known, of a violation of the HIPAA law, no penalty may be imposed under (a). And even if the covered entity did know, or by exercising reasonable diligence would have known that the covered entity would be a violator (emphasis supplied), the possibility of deflecting a penalty would still exist:

"(3) FAILURES DUE TO REASONABLE CAUSE.-- (A) IN GENERAL.--Except as provided in subparagraph (B), a penalty may not be imposed under subsection (a) if--

"(i) the failure to comply was due to reasonable cause and not to willful neglect; and

"(ii) the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

Accordingly, no penalty would be imposed if a failure to comply with the HIPAA law (a failure that the covered entity knew would be a failure) was due to reasonable cause and not to willful neglect, and the failure is corrected within thirty days after the first date on which the covered entity knew, or by exercising reasonable diligence could have known (whether or not, it appears, there was actual knowledge on the part of the covered entity), that the failure occurred. So, after receiving a complaint from the Office for Civil Rights, the possibility exists that a covered entity could promptly correct the problem and thereby avoid any penalties. And more opportunities will exist to have penalties abated (emphasis supplied):

"(B) EXTENSION OF PERIOD.-- (i) NO PENALTY.--The period referred to in subparagraph (A)(ii) may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.

"(ii) ASSISTANCE.--If the Secretary determines that a person failed to comply because the person was unable to comply, the Secretary may provide technical assistance to the person during the period described in subparagraph (A)(ii). Such assistance shall be provided in any manner determined appropriate by the Secretary.

So, the thirty-day correction and cure period could be extended by the Office for Civil Rights, and during that additional period the Office for Civil Rights could provide technical assistance. This could mean that the violation would be able to be corrected without any penalty being imposed by the OCR. And finally, a penalty may be reduced (emphasis supplied):

"(4) REDUCTION.--In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) that is not entirely waived under paragraph (3) may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.

Thus even if a penalty was going to be imposed, the Office for Civil Rights could reduce the penalty if deemed to be excessive. As this review of the enforcement part of the HIPAA law indicates, Congress would seem to have intended the civil enforcement procedure to be a conciliatory and encouraging process and not a process of persecution, because there are so many avenues for mercy to be shown by OCR. Although we have not yet seen the preliminary rule that is being prepared by the Office for Civil Rights right now, we can hope that those working on the enforcement rule adhere to what Congress said in HIPAA.

We don't know what will be done regarding the criminal penalties under HIPAA. Perhaps the Department of Justice will offer some guidance regarding what "knowing" and what "intent" will be viewed by the DOJ as meaning, under the HIPAA statute, when HIPAA criminal prosecutions occur. In any event, the criminal part of HIPAA penalties is as follows:

"WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION

SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part-- (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).

(b) PENALTIES.--A person described in subsection (a) shall-- (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

Questions raised by HIPAA for crooks include: what "knowingly" will be found to mean under HIPAA; what "intent" will be found to mean under HIPAA; whether the confusion that arose under the anti-fraud and anti-kickback laws in health care relative to the "sole purpose" or "only one of several purposes" tests will find its way into HIPAA criminal enforcement; how the law of false claims, conspiracy and obstruction of justice and other such laws will relate to HIPAA enforcement; and how the Office for Civil Rights and the Department of Justice will determine which alleged violations are treated as civil violations and which alleged violations are treated as criminal violations. Surely all covered entities will want to have corporate compliance programs established and maintained in a manner consistent with the Federal Sentencing Guidelines, in order to endeavor either to avoid or to reduce the severity of criminal penalties.

With all the foregoing in mind, certainly the sooner covered entities begin the process of getting ready for HIPAA enforcement, the better. The key to avoiding penalties will be having policies and procedures in place that evidence a good faith intention to endeavor to comply with the HIPAA law. A summary of what to do to endeavor to avoid civil HIPAA penalties follows:

- Use reasonable diligence to know as much as you can about HIPAA
- Establish policies that evidence a reasonable approach to prevention
- Don't be neglectful, willfully or otherwise, or reckless
- Try to cure breaches within 30 days
- Ask for an extension if necessary
- Seek technical advice if necessary
- Be sure to document everything done in furtherance of HIPAA corporate compliance, preparation, implementation, and education and training

Ignorance will not be bliss, and avoidance will not be blissful. Instead, the only way to prepare for HIPAA is the old fashioned way: study it and learn it. Patients will expect no less, and covered entities surely will want to do even more to assure that their patients receive both quality care and the privacy and security protections, and the benefits of the transactions and data code sets standardization, that patients deserve and, under the law, are going to be required.

ASG/tt